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(§) Secure communication apparatus and method. 

(57) A communication apparatus (e.g., a fax ap- 
paratus) (Figure 1) provides secure message 
transmission by sending messages having an 
unrestricted portion (e.g., a header) and a res- 
tricted portion (e.g., the body of the message). 
The unrestricted portion is always outputted at 
the receiving apparatus ; however, access to 
the restricted portion is provided only in res- 
ponse to receiving predetermined information 
from a user (e.g., a message recipient). This 
information may include either the use of a 
password or the use of a PIN code following the 
insertion of a user's smart card into the receiv- 
ing apparatus. If the restricted portion is en- 
crypted, the user must either provide the 
decryption key to enable the receiving ap- 
paratus to decrypt the restricted message or 
his/her smart card must perform the actual 
decryption of the restricted message. 
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Technical Field 

This invention relates to communication appara- 
tuses and, more particularly, to a secure communica- 
tion apparatus and method of communicating mes- 
sages. 

Background of the Invention 

Today, facsimile machines are becoming com- 
monplace in many business offices. The new facsi- 
mile machines offer a variety of features which en- 
hance their usefulness. One common feature of prior 
art facsimile machines enables the automatic recep- 
tion of messages even when an addressee is not 
present. However, because anyone can read the re- 
ceived facsimile message, a security problem may 
exist when private or personal facsimile information is 
received. 

U. S. Patent 5,191,611 issued to G.S. Lang on 
March 2, 1993 describes a method and apparatus for 
protecting material on storage media by limiting ac- 
cess to the storage medium. More specifically, the 
storage medium is divided into sectors and each sec- 
tor is assigned to a specific user. Access to that sector 
of the storage medium can be gained only when the 
appropriate sequence of signals is executed. More 
particularly, Lang contemplates using a smart card as 
the device that a user will use to gain access to the 
storage medium. The smart card contains an encryp- 
tion key and processing power, and the two combine 
to interact with the computer that guards the storage 
medium. 

In one embodiment of his invention, shown in 
FIG. 6 of the above-identified patent, Lang describes 
a facsimile apparatus (FIG. 6) for secure computer- 
ized fax (SCFAX) delivery. The sender loads a mes- 
sage/document to be transmitted, enters the sender's 
smart card, and enters the recipient's address. The 
recipient's fax machine is informed of the recipient's 
identity and that fax machine stores the information 
in the proper storage medium sector. In accordance 
with the above description, the storing of the fax data 
in a particular sector insures proper delivery. 

In a more secure embodiment, the data itself is 
encrypted, either with a commonly known encryption 
key, or with the recipient's public key. The encryption, 
is accomplished with the sender interfacing his/her 
smart card with the sending fax machine. 

The problem with the Lang approach is that the 
recipient fax machine must know, beforehand, of the 
identities of the people who will receive confidential 
faxes, so that the faxes can be stored in memory sec- 
tors associated with those people. In practice, the op- 
posite is more likely. That is, a fax machine that is sit- 
uated in a one-person office and communicates faxes 
to that individual does not need enhanced confiden- 
tiality, since no one else has access to the fax ma- 



chine. A fax machine that is open to the public or is 
"semi-open" to the public, on the other hand, could 
greatly benefit from enhanced confidentiality but will 
not know, beforehand, of the identity of those desiring 
5 to use the fax machine. 

Summary of the Invention 

This invention provides the desired enhanced 
confidentiality of message communications (e.g., fax 
documents) by providing unrestricted access to part 
of the message transmission (e.g., a header mes- 
sage) and a restricted access to the remainder of the 
message. The unrestricted portion identifies the 
message recipient and indicates the existence of a re- 
stricted portion of the message. Access to the re- 
stricted portion, illustratively, requires one or more of 
the following: submitting a password to the receiving 
apparatus and using the appropriate key for decrypt- 
ing the restricted portion (when the restricted portion 
has been previously encrypted by the sender). For 
these two approaches, processing power is needed 
at the recipient's apparatus, and that power is provid- 
ed by a processor within the apparatus or, if a higher 
level of security is desired, by a smart card possessed 
by the recipient. 

in one arrangement, all but a header message 
portion (which identifies an intended recipient) of a 
received message is restricted and, optionally, en- 
crypted using either a public key, Krp, of an intended 
recipient of the message or a sender's private or se- 
cret key, Kss. The outputted header message portion 
informs the recipient (and all who care to know) of the 
receipt of a restricted (unencrypted or encrypted) 
message. Access to the restricted message (and de- 
crypting, if necessary) is available after either 1) the 
recipient completes a login and password process or 
2) the recipient inserts his/her smart card into the ap- 
paratus and enters a personal security code which is 
authenticated by the apparatus. According to another 
feature of the invention, the recipient can select which 
of a plurality of received stored encrypted messages 
is to be decrypted and outputted. 

The present invention also enables a message 
45 sender to insert a smart card and access an "address 
book" within it. The sending apparatus displays the 
addressee list (name and number) obtained from the 
sender's smart card and enables the sender to select 
a recipient (and various encryption keys) to whom the 
so sender's message is to be sent. The sender's mes- 
sage may then be encrypted using the recipient's 
public key Krp or sender's private key Kss and sent to 
the recipient's apparatus. 

55 Brief Description of the Drawing 

In the drawing, 

FIG. 1 shows an illustrative block diagram of a 



15 



20 



25 



30 



35 



3 



EP 0 671 830 A2 



4 



communication system and a facsimile appara- 
tus in accordance with the present invention; 
FIG. 2 is a flow chart showing the procedure for 
the transmission of a secure facsimile message; 
FIGS. 3A and 3B are flow charts describing the 
sequence of operations for a secure receiving 
facsimile apparatus; 

FIG. 4 shows illustrative data tables and messag- 
es utilized by the present invention; and 
FIG. 5 shows a block diagram of a smart card util- 
ized by the present invention. 

Detailed Description 

At the outset it should be noted that while the 
present invention is illustratively described for use in 
a facsimile (fax) apparatus (FIG. 1), it can, more gen- 
erally, be readily adapted for use in a multi-media ap- 
paratus wherein voice, text, fax, graphics or video 
messages may be sent between a sender and reci- 
pient locations. 

Shown in FIG. 1 is a block diagram of an illustra- 
tive network including two facsimile apparatuses 100 
which connect to telephone switch network 1 90 via fa- 
cilities 101 and 191. FIG. 1 also shows an illustrative 
block diagram of an embodiment of a facsimile appa- 
ratus 100 useful in describing the present invention. 
In the drawing, Network Control Unit (NCU) 104 con- 
trols in a known manner the interface to facility 101 
which connects the facsimile apparatus to a tele- 
phone switch network 190. Facility 101 may be one 
duplex facility used both to send and receive facsi- 
mile messages or may be two simplex facilities 102 
and 103, one to receive facsimile messages and one 
to dial-out over, respectively. NCU 104 enables sig- 
naling and voice communications, via telephone 105, 
and signaling and data communication, via communi- 
cation unit 110 and control unit 120, between the fac- 
simile machine 100 and the network 190. 

The control unit 1 20 controls the overall facsimile 
apparatus 100 operation. Control unit 120 operates 
under program control to control the operations of 
NCU 104, communication unit 110, operator panel 
140, output unit 150, and input or scanning unit 160. 
Control unit 120 includes a microcomputer 121, RAM 
122 and ROM 123 which together store the data ta- 
bles of FIG. 4 as well as the programs necessary to 
perform the standard facsimile functions and the va- 
rious features and functions (FIGS. 2 and 3) of the 
present invention. 

The communication unit 110 contains a modem 
for modulating and demodulating an image signal and 
a decoder/encoder for decoding and encoding the im- 
age signal. This unit also contains a Dual Tone Multi 
Frequency (DTMF) and dial pulse generator 111 
which is used to dial outgoing calls. 

The operator panel 140 contains buttons 141 
(e.g., send button) or switches and a display 142 



which enable the user to input information to and re- 
ceive information from the facsimile apparatus. 

The output unit 150 is typically a printer incorpo- 
rated in the facsimile apparatus and is used in a well- 

5 known manner to generate a hard copy of the re- 
ceived facsimile message. The input or scanning unit 
160 is used to read, in a well-known manner, the im- 
age of the document to be transmitted by the facsi- 
mile apparatus. The smart card interface (or reader) 

w 1 70 enables any of a variety of smart cards to be uti I- 
ized by the present invention. The smart card identi- 
fies the user and enables the user to retrieve his/her 
fax messages from facsimile apparatus 100. Illustra- 
tively, the smart card 175 and interface 170 may be 

15 a well-known AT&T smart card Computer Security 
System (CSS) adapted to implement the features of 
the present invention. The AT&T CSS is a user au- 
thentication system in which the user calls the system 
in the usual manner and the smart card responds to 

20 dynamic challenges from the system to prove the au- 
thenticity of the smart card. The user must then enter 
the proper PIN code to verify the user's authenticity. 
Only when the smart card and the user identity have 
been authenticated is access allowed to the system. 

25 Shown in FIG. 5 is an illustrative block diagram 

of smart card 1 75. The smart card 1 75 includes a con- 
tactless interface 501 which provides communication 
capability with the smart card interface 170. A micro- 
processor 502 connects to interface 501 and to mem- 

30 ory unit 503 and controls the operation of smart card 
175. The memory unit 503 includes programs for im- 
plementing the above-described CSS authentication 
functions 505 as well as decrypt programs 506 and 
Tables 507 utilized for performing the function of the 

35 present invention. Microprocessor 502 controls the 
smart card 1 75 to perform data manipulation, card au- 
thentication as well as reception, decryption and 
transmission of messages in accordance with the 
present invention. 

40 Because the operations of the above-mentioned 

circuits of facsimile apparatus 100 of FIG. 1 are well 
known, their operation will not be further described. 
However, where the operation of any of these units is 
modified in accordance with the present invention, 

45 that units operation will be described more complete- 
ly. Thus, using the figures and description of this 
specification as a guide, the operations of the present 
invention should be integrated into the hardware and 
program control structure of the facsimile apparatus 

so so as to compatibly cooperate with other features and 
operations of the facsimile apparatus. 

Shown in FIG. 2 is a flow chart describing the 
transmission of a secure facsimile message. With 
joint reference to FIGS. 1 and 2, we describe the op- 

55 eration of a facsimile apparatus 100 in the transmit 
mode. In step 201, the procedure is started. In step 
203, the sender inserts his or her smart card 1 75 into 
the smart card interface 170. The facsimile appara- 
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tus, in step 203, authenticates the sender's smart 
card, illustratively in the manner described in the 
AT&T CSS arrangement. In step 205, the sender en- 
ters a PIN code and the facsimile apparatus authen- 
ticates the sender's identity. Assuming that the smart 
card and sender's identity have been authenticated, 
in step 207 the facsimile apparatus accesses the sen- 
der's smart card and displays an address book (Table 
401 of FIG. 4) on display 142. Table 401 includes a list 
of recipient names, facsimile numbers, telephone 
numbers and public keys. In step 209, if the size of Ta- 
ble 401 exceeds the display capability of display 142, 
the system permits the sender to step the display 142 
to the next field or page of the addressee list. This is 
done in step 211. 

In step 213, the sender selects the recipient to 
whom a facsimile message is to be sent. In step 215, 
facsimile apparatus 100 uses the selected recipient 
identification to obtain and display data from the sen- 
der's smart card 1 75 (Table 401 ). In step 21 7, the sen- 
der has an opportunity to add or change data in Table 
401. In step 219, the sender adds or changes data in 
Table 401. In step 221, the sender inputs the docu- 
ment or message into the fax apparatus and, if appro- 
priate, sets a restrict flag and encrypt flag (if it is de- 
sirable to restrict and encrypt the body of the trans- 
mitted fax message) and then presses the send but- 
ton. 

According to the invention, in step 223, the head- 
er portion of the message is sent unrestricted while 
the body of the message may be sent either unre- 
stricted (restrict flag is 0) or restricted (restrict flag is 
1 ). Moreover, a restricted message can be sent unen- 
crypted (encrypt flag is 0) or encrypted (encrypt flag 
is 1). Additionally, encrypted messages may be en- 
crypted in one of two different ways- for example, by 
using a recipient's public key Kpp (Kr P encrypt flag is 
1 ) or by using a sender's private key Kss (Kss encrypt 
flag is 1). The actual encryption keys Krr and 
obtained, respectively, from Table 401 and Table 402. 
The restrict and encrypt flags are sent as part of the 
header message (see Table 403). 

With reference to 403, there is shown an illustra- 
tive header message including data fields such as re- 
cipient's name and facsimile number, date/time, sen- 
der's name and facsimile number, sender's public key 
(K SP ), a message identification number, a restrict 
flag, recipients public key encrypt flag ( Kr P ), and 
sender's private key encrypt flag (Kss). If desirable, 
other special recipient passwords (special password) 
known only to the sender and recipient can be sent to 
the receiving fax apparatus, as part of the header 
message, and stored as other data in the recipient Ta- 
ble 410. This information would not, however, be out- 
putted to Table 404. This special password could be 
used to further verify the identity of the recipient, prior 
to output ting the restricted portion of the message to 
the recipient. 



In step 224 it is determined if the restrict flag is 
set. If it is not set, then in step 229 the document or 
message is sent unencrypted. In step 224, if the re- 
strict flag is set then in step 225 it is determined if the 

5 encrypt flag is set. If it is not, then in step 229 the sen- 
der's document or message is sent unencrypted. If 
either the Krp or K ss flag is set, then in step 227 the 
header message is sent unencrypted and the docu- 
ment or body of the message is sent encrypted, using 

10 the appropriate recipient's public key Krp or the sen- 
der's private key K S s- When the document or mes- 
sage is encrypted, it is transmitted over the facility as 
a random sequence of data bits to the receiving fax 
apparatus or any apparatus monitoring the facility. 

15 This random sequence of data bits can only be en- 
crypted when the proper key is used, as will be descri- 
bed in later paragraphs. 

With joint reference to FIGS. 1 and 3A, we de- 
scribe the operation of a facsimile apparatus 100 

20 while in the receive mode. In step 301, the facsimile 
message is received. Shown in Table 404 is a listing 
of header messages which are displayed or printed at 
fax apparatus 100. Each header message is associ- 
ated with a fax message or document received by fax 

25 apparatus 100. In step 303, it is determined if the re- 
ceived fax message, e.g., 405, has a restricted por- 
tion (by checking the restrict bit of the header mes- 
sage). If there is no restricted portion (e.g., as in mes- 
sage 407), then in step 305 the fax apparatus deter- 

30 mines if the printer output unit 150 is busy. If it is not 
busy, the header message of Table 404 and the fac- 
simile message are outputted in step 307. If, how- 
ever, the printer unit 150 is busy, then in step 309, the 
fax apparatus 100 stores the facsimile message. 

35 Thereafter, in step 311, the facsimile apparatus de- 
termines whether or not the printer 150 is busy. If it is 
busy, control returns to step 311 until the printer unit 
150 is no longer busy, at which time the message is 
outputted in step 313. 

40 Returning to step 303, if it is determined that the 

received message is restricted (such as messages 
405, 406, or 408), then in step 325 the restricted mes- 
sage is stored in memory (RAM 122) and associated 
with the appropriate header message of Table 404. In 

45 step 327, it is determined if the printer unit is busy. 
When the printer unit 1 50 is not busy, then in step 329 
the apparatus outputs and/or displays the header 
message, illustratively in the form shown in Table 
404. In FIG. 3B, step 331, the user or recipient inserts 

so his/her smart card 175 into smart card interface 170 
and enters his/her PIN number via operator panel 
140. (While the following description describes a re- 
cipient as the user of the fax apparatus, a user know- 
ing a recipient's login and password or having a reci- 

55 pienfs smart card and PIN number could also use the 
fax apparatus.) If the recipient has properly inserted 
his/her smart card and entered the proper PIN num- 
ber, then in step 339 the validity of the smart card and 
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PIN is determined. (This is accomplished using au- 
thentication programs stored in facsimile apparatus 
100 and smart card 175.) If the smart card and PIN 
number are not valid, then the operation is terminated 
in step 337. If the smart card and PIN number are val- 5 
id, then control proceeds to step 341. 

Each header message 405-408 of Table 404 may 
include entries for all of the data fields. In the event 
there have been several messages received for dif- 
ferent recipients, as is shown in Table 404, the oper- w 
ator panel 140 includes buttons for enabling a reci- 
pient to select his/her messages for output from the 
plurality of messages listed in Table 404. In step 341 , 
the recipient determines if he/she has multiple mes- 
sages. If the recipient does not have multiple messag- 15 
es, control passes to step 344; otherwise control 
passes to step 343. In step 343, the recipient selects 
which of his/her received messages is to be output- 
ted. In step 344, fax apparatus 100 determines if the 
selected message is encrypted using the recipient's 20 
public key Krp (i.e., by checking the status of Krp 
flag). If the selected message is encrypted using the 
key KRp_(such as message 403 in Table 404), then 
control passes to step 345. In step 345, the selected 
message is outputted via smart card interface 1 70 to 25 
smart card 1 75. 

The smart card 175 (with joint reference to FIGS. 
3 and 5) illustratively receives the encrypted mes- 
sage via contactless interface 501. Microprocessor 
502 obtains the recipients private or secret key K RS 30 
from memory 503 and decrypts the encrypted mes- 
sage using key Kr S - As noted, recipient's public key 

was used to encrypt the transmitted facsimile 
message. The keys Krp and K RS each represent en- 
cryption functions that are inverses of each other. As 35 
previously noted, a random sequence results when a 
message is encrypted with the encryption function of 
key Krp. When the decrypt function of Kr S is applied 
to the message encrypted using function Krp, the 
original message results. Thus, mathematically K RS X 40 
Krp (original message) = the original message. Such 
an encryption arrangement is described in U.S. pa- 
tent 4,590,470 issued on May 20, 1986 to A. R. Koe- 
nig. 

In a similar manner, a message encrypted using 45 
sender's private key Kss can be decrypted only by us- 
ing the sender's public key K$p. 

Thus, in step 347, when microprocessor 502 ap- 
plies the key K RS to a message that has been encrypt- 
ed using the recipients public key Krp, the resulting so 
decrypted message is the original message sent by 
the sender. Thereafter, in step 349 the recipient's 
smart card 175 outputs the decrypted message via 
the smart card interface 170 to fax apparatus 100. In 
step 351, facsimile apparatus 100 outputs the de- 55 
crypted message via printer unit 150. In step 353, the 
recipient determines if there are additional messages 
for the recipient If there are, then control returns to 



step 343, otherwise the receive mode is terminated in 
step 355. 

Returning to step 344, if the Krp flag is not set, 
then step 381 is performed. In step 381, fax appara- 
tus 100 determines if the selected message is en- 
crypted using the sender's private key Kss (by check- 
ing if the Kss flag is set in the selected header mes- 
sage of Table 404). If yes (such as with message 405 
of Table 404), then in step 382, the encrypted mes- 
sage is outputted to smart card 175. In step 383, the 
smart card 175 decrypts the encrypted message us- 
ing the sender's public key Ksp to obtain the original 
message. In step 384 the smart card 175 outputs the 
decrypted message to fax apparatus 100. Thereafter 
fax apparatus 100 outputs the decrypted message in 
step 351 as previously described. 

Returning to step 381, if the Kss flag is not set, 
then the restricted portion of the fax message was not 
encrypted (e.g., such as message 408 of Table 404 
where both the Kr P and Kss flags are not set), and 
control returns to step 363. In step 363. the fax appa- 
ratus outputs the unencrypted restricted portion of 
the message via printer 1 50. In step 364 it determines 
if more messages exist. If more messages exist, con- 
trol returns to step 330; otherwise the received pro- 
cedure is terminated in step 365. ~" 

Returning to step 331, if the recipient has not in- 
serted the smart card in step 331, then step 304 is 
performed. In step 334, the recipient must enter 
his/her login and password and other information 
(such as the special password of message 403, if ap- 
propriate). If the login and password are not correctly 
entered, then fax apparatus 100 determines, in step 
335, whether or not it should time out. If it does not 
time out, control returns to step 331 . If a time out has 
occurred, then fax apparatus 100 terminates the op- 
eration in step 337. Note, even after termination, fax 
apparatus 100 may continue to display the^ header 
messages of Table 404 to identify messages previ- 
ously received for each recipient. Obviously, a reci- 
pient can select his/her messages for retrieval at any 
time. Thus, step 331 need not immediately follow step 
329. 

In step 334, the recipient's login and password 
(and, optionally, other special passwords, if utilized) 
are checked by comparing them with the data entered 
in Table 410. If correctly entered, then in step 360 the 
recipient checks if multiple messages exist. If only 
one message exists, then step 362 is performed; 
otherwise, the recipient selects the desired message 
in step 361 and then step 362 checks if the restricted 
message is encrypted. Note, for security reasons, we 
assume that the message was encrypted using the 
sender's private key Kss, since then the user only has 
to enter the sender's public key Ksp to decrypt the 
message. (If the restricted message was encrypted 
using the recipients public key Krp, the recipient 
would then have to enter his/her private key Kr S into 
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apparatus 1 00. Such an arrangement may be less se- 
cure to the recipient.) 

Returning to step 362, if the K ss flag is set, then 
in step 372 the recipient enters the sender's public 
key Ksp. In step 373, fax apparatus 100 decrypts the 
restricted message, using key K SP , to obtain the orig- 
inal message. That is, Ksp X K ss (message) = the orig- 
inal message sent by the sender. Thereafter, in step 
363, fax apparatus 100 outputs the decrypted re- 
stricted message via printer unit 1 50. If more messag- 
es exist, in step 364 control returns to step 361 ; other- 
wise, the receive mode is terminated. 

Returning to step 362, if the K ss flag is not set, 
then the restricted message does not need to be de- 
crypted. Hence, in step 363, the fax apparatus 100 
outputs the restricted portion of the message. Proc- 
essing continues from step 363 in the manner previ- 
ously described. 

What has been described is merely illustrative of 
the application of the principles of the present inven- 
tion. Other arrangements and methods can be imple- 
mented by those skilled in the art without departing 
from the scope of the present invention. 



BY 

means for receiving and storing the mes- 
sage including an unrestricted portion and a re- 
stricted encrypted portion; 
5 first means for outputting the unrestricted 

portion of the received message to a user, the un- 
restricted portion outputted to the user including 
a sender's public key Ksp; 

means for decrypting said restricted por- 
10 tion in response to a sender's public key Ksp en- 

tered by said user and 

second output means for outputting said 
decrypted restricted portion to said user. 

15 3. The communication apparatus of claim 2 wherein 
the unrestricted portion includes information indi- 
cating whether or not the restricted portion is en- 
crypted. 

20 4. The communication apparatus of claim 3 wherein 
the unrestricted portion includes information indi- 
cating a type of encryption key used to encrypt 
the restricted portion. 



Claims 

1. A communication apparatus for receiving a sen- 
der's message over a facility, CHARACTERIZED 
BY 

means (301) for receiving and storing the 
message including an unrestricted portion and a 
restricted portion; 

first output means (150, 329) for output- 
ting the unrestricted portion of the received mes- 
sage to a user, and 

second output means (150, 351), respon- 
sive to predetermined information received from 
the user, for outputting the restricted portion of 
the message to the user; 

a smart card interface means (501) and 
wherein 

said predetermined information includes a 
user-entered personal identification number 
(PIN) (331) entered after the user's smart card is 
inserted into said interface; 

means (345) responsive to said received 
PIN for enabling said interface means to output 
said restricted encrypted portion to said smart 
card for decrypting by said smart card and where- 
in 

said interface means receives a decrypted 
restricted portion from said smart card, via said 
interface, for output via said second output 
means. 

2. A communication apparatus for receiving a sen- 
der's message over a facility, CHARACTERIZED 



25 5. The communication apparatus of claim 2 wherein 
a plurality of messages are received and 
wherein 

the unrestricted portion includes recipient 
identification for each received message and 
30 wherein 

said predetermined information identifies 
at least one of the plurality of fax messages to be 
outputted to the user. 

35 6. The communication apparatus of claim 2 wherein 
said communication apparatus is a fax appara- 
tus. 

7. The communication apparatus of claim 2 wherein 
40 said communication apparatus is a multi-media 

apparatus. 

8. A communication apparatus for transmitting a 
message over a facility, CHARACTERIZED BY 

45 first input means for receiving a first user 

input to be transmitted as a message; 

second input means for receiving a second 
user input requesting that the message delivery 
be restricted to an intended recipient, and re- 

so questing that the message be encrypted using a 

user-selected encryption key; and 

means, responsive to said second user in- 
put, for sending a message including an unre- 
stricted portion and a restricted portion, the un- 

55 restricted portion identifying an intended reci- 

pient and one or more encryption flags indicating 
a type of user-selected encryption key used to 
encrypt the restricted portion. 
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9. The communication apparatus of claim 8 wherein 

said user-selected encryption key is the 
intended recipient's public key Krp as indicated 
by said one or more encryption flags. 

5 

10. The communication apparatus of claim 8 wherein 

said user-selected encryption key is the 
user's private key Kss as indicated by said one or 
more encryption flags. 

10 

11. The communication apparatus of claim 8 further 
including 

a smart card interface and wherein 

said second user input includes recipient 
information received from a smart card inserted 15 
into said interface. 

1 2. The communication apparatus of claim 1 0 where- 
in the user's public key is sent as part of the un- 
restricted portion of the message. 20 
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